Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here's how events are unfolding along with unanswered questions.


Russia's National Computer Incident Response & Coordination Center published a list of more than 17,500 IP addresses and 174 internet domains it says are involved in ongoing distributed denial-of-service attacks on Russian domestic targets. The Center also issued recommendations on how to ward off DDoS attacks.

March 2: Russian group moved laterally on Ukrainian nuclear power company's network

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that a Russian group moved laterally on the network of a Ukrainian nuclear power company.

March 3: Ukraine accuses hackers of spreading false information

Ukraine's State Service of Special Communication and Information Protection said that an undisclosed number of official websites of "regional authorities and local governments" had been hijacked and used to spread "lies" about a deal to end the fighting prompted by Russia's invasion. Ukraine says the "enemy" was responsible for the information. Russia denied using hackers to go after its foes.

March 3: Hackers compromised Russian space institute

Hackers compromised a website connected to Russia's Space Research Institute (IKI), which designs and builds scientific instruments for space experiments. The hackers, purportedly part of a wave of vigilante hackers that took up digital arms following Russia's invasion of Ukraine, defaced a section of IKI's website to post vulgar, anti-Russian messages.

March 4: Fancy Bear compromised government network in Vinnytsia

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said the STRONTIUM threat group, also known as Fancy Bear or APT28, compromised a government network in Vinnytsia.

March 5: Ukraine says Russian cyberattacks are nonstop

Ukraine's State Service of Special Communications and Information Protection (USSSCIP) said, "Russian hackers keep on attacking Ukrainian information resources nonstop." The agency said that sites belonging to the presidency, parliament, the cabinet, the ministry of defense, and the ministry of internal affairs were among those hit by distributed denial-of-service (DDoS) attacks.

March 5: Anonymous claims FSB website take-down

The hacktivist collective Anonymous claims it took down the website of the Federal Security Service (FSB) of Russia. The group further claimed it took down 2,500 websites in Russia and Belarus in support of Ukraine.

March 6: Cybercom's secret "cybermissions" revealed

Sources say that secret forces from the United States Cyber Command known as "cybermission teams" are in place across Eastern Europe to interfere with Russia's digital attacks and communications. Although most elements of these teams are classified, it is clear that the cybermissions have tracked some familiar targets, including the activities of the G.R.U., Russia's military intelligence operations, to neutralize them. Microsoft has helped in some of these activities.

March 7: Anonymous claims hack into Russian TV

The Anonymous group took responsibility for hacking into the Russian streaming services of state television channels, which the Russian authorities use for propaganda and fake news. The group claimed it hacked into the Russian streaming services Wink and Ivi (like Netflix) and live TV channels Russia 24, Channel One, and Moscow 24 to broadcast war footage from Ukraine.

March 7: Google reveals Belarus phishing attacks against Polish military, Ukrainian officials

Google's Threat Analysis Group said that Russia's ally Belarus conducted widespread phishing attacks against members of the Polish military and Ukrainian officials. Google also warned hundreds of Ukrainian residents about government-backed hacking attempts in the past year, most of them from Russia.

March 8: Hacktivist crew uses phone bombing software to plead with Russian citizens

The hacktivist crew known as The International Legion Information Technology Battalion 300 (ILIT300) claimed to have phone bombing software created by Ukrainian hacktivists to send out pleas to Russian citizens in the hopes that they would speak out against the conflict in Ukraine. The ILIT300 dubbed their operation #OpPhoneKiss. Nataliya Vasilyeva, a Telegraph Moscow correspondent, confirmed she received one of the phone calls.

March 8: Russian government websites compromised through stats widget

The Russian Ministry of Economic Development press service said some of Russia's federal agencies' websites were compromised in a supply chain attack after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies. The hackers were able to publish incorrect content on the pages of the websites.

March 9: Cybercriminals exploit Ukrainian sympathizers

Researchers at Cisco Talos say opportunistic cybercriminals are trying to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools initially advertised. One threat actor offered a DDoS attack tool for use against Russians. Instead, he delivered an information stealer that infected the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.

March 11: Attacks on Russian sites escalated in March

Rostelecom-Solar, the cybersecurity arm of telecom company Rostelecom, the largest digital services provider in Russia, said efforts to disrupt the operations of company websites in Russia jumped in March, with the number of distributed denial-of-service (DDoS) attacks by mid-March already exceeding that for the whole of February. Russian government entities and state-owned companies were targeted, with the websites of the Kremlin, flagship carrier Aeroflot and major lender Sberbank among those that experienced outages or temporary access issues.

March 11: Dnipro government agency targeted with destructive implant

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that a Dnipro government agency was targeted with a destructive implant.

March 15: Ukraine Secret Service detains "hacker" helping Russian troops route phone calls

The Security Service of Ukraine (SSU) said it detained a "hacker" who was providing technical assistance to Russian troops in Ukraine by routing phone calls on their behalf. The hacker also sent text messages to Ukrainian security forces suggesting they surrender.

March 15: Feds warn of Russian state actors exploiting MFA, PrintNightmare flaws

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through the exploitation of default multi-factor authentication (MFA) protocols and a critical Windows Print Spooler vulnerability called PrintNightmare to run arbitrary code with system privileges.

March 18: Developer sabotages own code to wipe computers in Russia, Belarus

RIAEvangelist, the maintainer of a popular open-source software package called node-ipc, faced criticism for deliberately sabotaging their own code to wipe data on computers that used the program in Russia and Belarus. The altered versions of the software deleted all data, overwrote all files on developers' machines, and created new text files with "peace" messages.

March 21: Feds reiterate warning of potential malicious Russian cyber activity

In a statement from the White House, President Biden reiterated that "Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we've imposed on Russia alongside our allies and partners." He also urged "private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year." White House cyber advisor Anne Neuberger also appeared at a press briefing to urge "companies to take the steps within your control to act immediately to protect the services millions of Americans rely on and to use the resources the federal government makes available."

March 21: Russia's top bank warns of malware-laden protestware

Sberbank, Russia's largest bank, warned its users to stop updating software due to the threat of "protestware," open-source projects whose authors altered their code in opposition to Moscow's invasion of Ukraine. Although most of the protestware simply conveys antiwar messages, one project contained malicious code to wipe computers in Russia and Belarus.

March 24: U.S. intel analysts say Russia was behind Viasat cyberattack

U.S. intelligence analysts concluded that Russian military spy hackers were behind the cyberattack on Viasat's satellite broadband service that disrupted Ukraine's military communications at the start of the war last month. However, the U.S. government did not formally or publicly attribute that attack to Russia.

March 25: U.S., UK charge four Russian officials with critical infrastructure hacking

The U.S. Justice Department and British Foreign Office charged four Russian officials with the malicious hacking of critical infrastructure around the globe, including the U.S. energy and aviation sectors, between 2012 and 2018. One of the officials charged was an employee at a Russian military research institute accused of working with co-conspirators in 2017 to hack a foreign refinery's systems and install malicious software. The British Foreign Office suggested that the timing of the charges was directly related to Russian President Vladimir Putin's "unprovoked and illegal war in Ukraine."

March 27: Top Ukrainian broadband provider knocked out in cyberattack

Top terrestrial Ukrainian internet and telephone service provider Ukrtelecom was hit by a massive cyberattack that knocked out its services for hours. Russia denies any involvement in the attack.

March 29: Russia accuses U.S. of malicious attacks

In what some see as an omen that Russia plans to ramp up its malicious cyber activity, the Russian foreign ministry accused the United States of leading a massive "cyber aggression" campaign behind hundreds of thousands of malicious attacks a day while Russia has troops in Ukraine. The foreign ministry said it believed Ukraine's government, which in February announced the formation of an "IT army," was involved and had launched an "offensive cyber force."

March 30: Viasat official says cyberattacks are ongoing

Viasat said that the multifaceted cyberattack that struck its KA-SAT network resulted in a partial interruption of KA-SAT's consumer-oriented satellite broadband service, crippling tens of thousands of modems. One Viasat official said that the attacks are ongoing with repeated attempts by the attacker to test the new defenses the company has raised.

March 30: Nation-state threat actors are exploiting Ukraine invasion in malicious campaigns

Google's Threat Analysis Group said that as part of its efforts to track malicious cyber activity related to Russia's invasion of Ukraine, it had observed government-backed actors from China, Iran, North Korea, and Russia, and various unattributed groups, using Ukraine war-related themes to get targets to open malicious emails or click malicious links. In addition, financially motivated and criminal actors are also using current events to target users.

April 1: CaddyWiper used against Ukrainian government entity

ESET reports that CaddyWiper malware was deployed against a Ukrainian governmental entity on April 1.

April 5: CERT-UA says Armageddon threat group targeted organizations with espionage-related malware

The Computer Emergency Response Team of Ukraine (CERT-UA) spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon) that tried to trick victims with lures related to the war to install espionage-focused malware. One attempt targeted Ukrainian organizations, and the other focused on government agencies in the European Union.

April 6: U.S. admits secretly removing malware to thwart Russians

U.S. Attorney General Merrick B. Garland said that armed with secret court orders, the United States secretly removed malware from computer networks around the world, a step to pre-empt Russian cyberattacks and send a message to President Putin of Russia. Although it was unclear what the malware was intended to do, it enabled the Russians to create "botnets" controlled by the G.R.U., the intelligence arm of the Russian military.

April 7: Meta reveals Ghostwriter hacking group campaign

Facebook parent Meta released an adversarial threat report about a hacking group known as "Ghostwriter," which experts believe is linked to Belarus. The campaign targeted Ukrainian soldiers and civilians, including posing as journalists and independent news outlets online to push Russian talking points and seeking to hack the soldiers' accounts. Meta said it had removed a network of about 200 accounts operated from Russia that repeatedly filed false reports about people in Ukraine and Russia to get them and their posts removed from the platform.

April 12: CERT-UA reveals Industroyer2 attack on energy facility

The Government Computer Emergency Response Team of Ukraine (CERT-UA) responded to an attack on an energy facility in Ukraine that used a new variant of Industroyer malware called Industroyer2, attributed to the Russian state threat group Sandworm. The attack also used several other destructive malware tools, including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED.

April 19: Sandworm launches destructive attack on Lviv-based logistics provider
